Dependabot
GitHub performs static scanning of a project's dependencies using Dependabot. The tool emails you about any dependency that needs to be updated because of a security vulnerability and generates a pull request in your project. With our current docker TEST swarm, we can easily test each pull request.
- First, get the GitHub pull requests list up for reference:
  https://github.com/UniversityOfHawaii/kuali-build-sync/pulls
- Then, open the Jenkins continuous integration jobs and go to the pull requests tab:
  https://doctest.pvt.hawaii.edu/cis/job/kuali-build-sync/job/continuous-integration/job/kuali-build-sync/view/change-requests/
- Then, start with whichever pull request you want to check and run the build for it. That will build and deploy a version that includes that pull request.
- If the version change is pretty small and the build passes, you could probably just merge it in.
- If the build passes, but it looks like a little bit of a bigger change, you could actually go hit the newly deployed version to test it.
- If the build breaks, then you can use the PR to track the work needed to get it working.
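As an added example (not part of these notes or the kuali-build-sync project), the rule of thumb above written out as a small Python triage script: it parses the title Dependabot gives its pull requests ("Bump <package> from <old> to <new>"), classifies the version change, and combines that with the Jenkins build outcome to suggest the next step. The sample PR titles and build results are constructed; in practice they would come from the GitHub and Jenkins pages linked above.

```python
import re

# Dependabot titles its pull requests "Bump <package> from <old> to <new>",
# optionally followed by "in <directory>" for monorepos.
BUMP_RE = re.compile(r"^Bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)")


def bump_kind(old: str, new: str) -> str:
    """Classify a version change as 'major', 'minor', 'patch' or 'unknown'.

    Pre-release and build suffixes (1.0.0-beta, 1.0.0+build) are ignored;
    any non-numeric component yields 'unknown' rather than a guess."""
    try:
        o = [int(x) for x in old.split("-")[0].split("+")[0].split(".")]
        n = [int(x) for x in new.split("-")[0].split("+")[0].split(".")]
    except ValueError:
        return "unknown"
    o += [0] * (3 - len(o))  # pad "5.2" to [5, 2, 0]
    n += [0] * (3 - len(n))
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def triage(title: str, build_passed: bool) -> str:
    """Map (PR title, Jenkins build result) to the next step from the notes."""
    m = BUMP_RE.match(title)
    if not m:
        return "review manually: not a standard Dependabot bump title"
    kind = bump_kind(m["old"], m["new"])
    if not build_passed:
        return f"build broke: track the fix work on this PR ({m['pkg']} {kind} bump)"
    if kind == "patch":
        return f"merge: small {m['pkg']} patch bump and the build passed"
    return f"test the deployed version: {m['pkg']} {kind} bump, build passed"


# Constructed sample input: (Dependabot PR title, did the Jenkins build pass?)
SAMPLE_PRS = [
    ("Bump lodash from 4.17.15 to 4.17.21", True),
    ("Bump express from 4.17.1 to 5.0.0", True),
    ("Bump minimist from 1.2.5 to 1.2.6 in /docker", False),
    ("Update rails requirement from ~> 5.2 to ~> 6.0", True),
]


def triage_all(prs=SAMPLE_PRS) -> list[str]:
    return [f"{title}: {triage(title, passed)}" for title, passed in prs]


if __name__ == "__main__":
    print("\n".join(triage_all()))
```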
So, if you get in the habit of doing it, it makes it pretty easy to stay current with your dependencies. I'm not really in the habit, yet, but it would be easy in a long term application that isn't in constant churn. Usually you won't even need to do anything on your local machine. You can just do everything through GitHub and Jenkins.